[SCM] Samba Shared Repository - branch v4-13-test updated
Karolin Seeger
kseeger at samba.org
Mon May 3 09:07:01 UTC 2021
The branch, v4-13-test has been updated
via aae24152b8d s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
via 8feeac11f7e docs: Expand the "log level" docs on audit logging
via 83c39f1e4ee docs: underline special words in the audit logging part of "log level" in man smb.conf
via ef386397d34 docs: Further discourage the use of the "event notification" options
via 78562c46bed docs: Add proper explanation on why transactions need to be audited.
via 56e4cb8f3d0 docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json
via bd6f38ed8b7 debug: Synchronise "log level" in smb.conf with the code
from 4484b030c0d VERSION: Bump version up to 4.13.9.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test
- Log -----------------------------------------------------------------
commit aae24152b8d4691252fb56b095ed892e11b40bec
Author: Jeremy Allison <jra at samba.org>
Date: Thu Apr 29 09:50:30 2021 -0700
s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
Missing call to set up req->outbuf means no reply is sent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14696
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Apr 29 21:27:58 UTC 2021 on sn-devel-184
(cherry picked from commit 47d79d7e7e406f7dd204ded7c72cfed3e0761ad5)
Autobuild-User(v4-13-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-13-test): Mon May 3 09:06:36 UTC 2021 on sn-devel-184
commit 8feeac11f7e4453bc3c5f826ba2694ea9937b430
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Apr 16 10:43:07 2021 +1200
docs: Expand the "log level" docs on audit logging
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 38fe888f95f8d22736080ed521939be932e7bca0)
commit 83c39f1e4ee15ba4660a102b487eb4a44d6084dd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 15 14:40:30 2021 +1200
docs: underline special words in the audit logging part of "log level" in man smb.conf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04)
commit ef386397d34cedd0a7068dd2e8ff4e4d40a68e5a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 15 14:45:07 2021 +1200
docs: Further discourage the use of the "event notification" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2)
commit 78562c46beddf870aeb696a81f1efdac6a281de2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 15 14:44:22 2021 +1200
docs: Add proper explanation on why transactions need to be audited.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3)
commit 56e4cb8f3d008382850fa51c45c31a31193ae05e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 15 14:39:49 2021 +1200
docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd)
commit bd6f38ed8b7d50f93e6d629280b11d090920f133
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 15 13:52:38 2021 +1200
debug: Synchronise "log level" in smb.conf with the code
This is done by pasting in the contents of default_classname_table[]
in lib/util/debug.c into
cut -f 2 -d \"| xargs -i sh -c 'echo "\t<listitem><para><parameter moreinfo=\"none\">{}</parameter></para></listitem>"'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/logging/loglevel.xml | 108 +++++++++++++++------
.../smbdotconf/logon/autheventnotification.xml | 17 ++--
docs-xml/smbdotconf/misc/dsdbeventnotification.xml | 14 ++-
.../misc/dsdbgroupchangenotification.xml | 16 +--
.../misc/dsdbpasswordeventnotification.xml | 16 +--
source3/smbd/reply.c | 2 +
6 files changed, 121 insertions(+), 52 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml
index 273765c6fbe..4c6bb5e7e73 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -24,8 +24,6 @@
<listitem><para><parameter moreinfo="none">printdrivers</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">lanman</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">smb</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_parse</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_srv</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_cli</parameter></para></listitem>
@@ -41,19 +39,24 @@
<listitem><para><parameter moreinfo="none">msdfs</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dmapi</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">registry</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem>
- <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">drs_repl</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_group_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_group_json_audit</parameter></para></listitem>
</itemizedlist>
<para>To configure the logging for specific classes to go into a different
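Review bot: The block from scavenger through dsdb_transaction_json_audit is removed and re-added with text that appears identical apart from whitespace, which hides the real changes in this hunk: the new drs_repl, dsdb_group_audit and dsdb_group_json_audit entries and the move of smb2 and smb2_credits. Splitting the whitespace change out, or mentioning it in the commit message, would make the diff reviewable. Since the commit message says the list is pasted by hand from default_classname_table[] in lib/util/debug.c, it will drift again; a build-time or test-time comparison against that table would keep the documented audit classes in step with the code.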
@@ -62,9 +65,9 @@
full_audit:1@/var/log/audit.log</parameter>.</para>
<para>Authentication and authorization audit information is logged
- under the auth_audit, and if Samba was not compiled with
+ under the <parameter>auth_audit</parameter>, and if Samba was not compiled with
--without-json, a JSON representation is logged under
- auth_json_audit.</para>
+ <parameter>auth_json_audit</parameter>.</para>
<para>Support is comprehensive for all authentication and authorisation
of user accounts in the Samba Active Directory Domain Controller,
@@ -72,7 +75,8 @@
the file server, NTLM authentication, SMB and RPC authorization is
covered.</para>
- <para>Log levels for auth_audit and auth_audit_json are:</para>
+ <para>Log levels for <parameter>auth_audit</parameter> and
+ <parameter>auth_audit_json</parameter> are:</para>
<itemizedlist>
<listitem><para>2: Authentication Failure</para></listitem>
<listitem><para>3: Authentication Success</para></listitem>
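Review bot: The added line names the class "auth_audit_json", but the class list and the paragraph just above it in this same file use "auth_json_audit". An administrator copying the name from this sentence into "log level" would be configuring a class that the list does not contain, and would get no JSON authentication audit records. Suggest changing it to auth_json_audit while the line is being touched.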
@@ -80,21 +84,69 @@
<listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem>
</itemizedlist>
- <para>Changes to the sam.ldb database are logged
- under the dsdb_audit and a JSON representation is logged under
- dsdb_json_audit.</para>
+ <para>Changes to the AD DC <command moreinfo="none">sam.ldb</command>
+ database are logged under the <parameter>dsdb_audit</parameter>
+ and a JSON representation is logged under
+ <parameter>dsdb_json_audit</parameter>.</para>
+
+ <para>Group membership changes to the AD DC <command
+ moreinfo="none">sam.ldb</command> database are logged under the
+ <parameter>dsdb_group_audit</parameter> and a JSON representation
+ is logged under
+ <parameter>dsdb_group_json_audit</parameter>.</para>
+
+ <para>Log levels for <parameter>dsdb_audit</parameter>,
+ <parameter>dsdb_json_audit</parameter>,
+ <parameter>dsdb_group_audit</parameter>,
+ <parameter>dsdb_group_json_audit</parameter> and
+ <parameter>dsdb_json_audit</parameter> are:</para>
+ <itemizedlist>
+ <listitem><para>5: Database modifications</para></listitem>
+ <listitem><para>5: Replicated updates from another DC</para></listitem>
+ </itemizedlist>
- <para>Password changes and Password resets are logged under
- dsdb_password_audit and a JSON representation is logged under the
- dsdb_password_json_audit.</para>
+ <para>Password changes and Password resets in the AD DC are logged
+ under <parameter>dsdb_password_audit</parameter> and a JSON
+ representation is logged under the
+ <parameter>dsdb_password_json_audit</parameter>. Password changes
+ will also appears as authentication events via
+ <parameter>auth_audit</parameter> and
+ <parameter>auth_audit_json</parameter>.</para>
+
+ <para>Log levels for <parameter>dsdb_password_audit</parameter> and
+ <parameter>dsdb_password_json_audit</parameter> are:</para>
+ <itemizedlist>
+ <listitem><para>5: Successful password changes and resets</para></listitem>
+ </itemizedlist>
<para>Transaction rollbacks and prepare commit failures are logged under
- the dsdb_transaction_audit and a JSON representation is logged under the
- password_json_audit. Logging the transaction details allows the
- identification of password and sam.ldb operations that have been rolled
- back.</para>
+ the <parameter>dsdb_transaction_audit</parameter> and a JSON representation is logged under the
+ <parameter>dsdb_transaction_json_audit</parameter>. </para>
+
+ <para>Log levels for <parameter>dsdb_transaction_audit</parameter> and
+ <parameter>dsdb_transaction_json</parameter> are:</para>
+
+ <itemizedlist>
+ <listitem><para>5: Transaction failure (rollback)</para></listitem>
+ <listitem><para>10: Transaction success (commit)</para></listitem>
+ </itemizedlist>
+ <para>Transaction roll-backs are possible in Samba, and whilst
+ they rarely reflect anything more than the failure of an
+ individual operation (say due to the add of a conflicting record),
+ they are possible. Audit logs are already generated and sent to
+ the system logs before the transaction is complete. Logging the
+ transaction details allows the identification of password and
+ <command moreinfo="none">sam.ldb</command> operations that have
+ been rolled back, and so have not actually persisted.</para>
+ <warning><para> Changes to <command
+ moreinfo="none">sam.ldb</command> made locally by the <command
+ moreinfo="none">root</command> user with direct access to the
+ database are not logged to the system logs, but to the
+ administrator's own console. While less than ideal, any user able
+ to make such modifications could disable the audit logging in any
+ case. </para></warning>
</description>
<value type="default">0</value>
<value type="example">3 passdb:5 auth:10 winbind:2</value>
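Review bot: Several class names in the added paragraphs do not match the class list earlier in this file. The "Log levels for ..." sentence for the dsdb classes lists dsdb_json_audit twice, the password paragraph refers to "auth_audit_json" where the list has auth_json_audit, and the transaction paragraph refers to "dsdb_transaction_json" where the list has dsdb_transaction_json_audit. These are the strings people paste into "log level" to turn auditing on, so each should be spelled exactly as in the list. Smaller points in the same hunk: "will also appears" should be "will also appear", and the two list items "5: Database modifications" and "5: Replicated updates from another DC" could be one item, since they share a level.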
diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml
index 1ae2dbfb61a..87ccf02a8f4 100644
--- a/docs-xml/smbdotconf/logon/autheventnotification.xml
+++ b/docs-xml/smbdotconf/logon/autheventnotification.xml
@@ -10,16 +10,19 @@
registering as the service
<filename moreinfo="none">auth_event</filename>.</para>
- <para>This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around). Additionally Samba must be
- compiled with the jansson support for this option to be
- effective.</para>
+ <para>This is <emphasis>not</emphasis> needed for the audit
+ logging described in <smbconfoption name="log level"/>.</para>
+
+ <para>Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).</para>
<para>The authentication events are also logged via the normal
logging methods when the <smbconfoption name="log level"/> is
- set appropriately.</para>
+ set appropriately, say to
+ <command moreinfo="none">auth_json_audit:3</command>.</para>
+
</description>
<value type="default">no</value>
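Review bot: The replacement paragraph drops the sentence "Additionally Samba must be compiled with the jansson support for this option to be effective" without saying whether that build requirement still applies. The new example points at auth_json_audit:3, and loglevel.xml ties the JSON classes to a build without --without-json, so a short sentence on the build requirement would still help here. Also, "Instead, this should instead be considered" repeats "instead"; one of the two should go.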
diff --git a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
index 7df46e1d68c..279ac3d29ef 100644
--- a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
@@ -10,14 +10,18 @@
registering as the service
<filename moreinfo="none">dsdb_event</filename>.</para>
- <para>This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around).</para>
+ <para>This is <emphasis>not</emphasis> needed for the audit
+ logging described in <smbconfoption name="log level"/>.</para>
+
+ <para>Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).</para>
<para>The Samba database events are also logged via the normal
logging methods when the <smbconfoption name="log level"/> is
- set appropriately.</para>
+ set appropriately, say to
+ <command moreinfo="none">dsdb_json_audit:5</command>.</para>
</description>
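Review bot: "Instead, this should instead be considered a developer option" repeats "instead" in the added paragraph. Suggest "Instead, this should be considered a developer option ...". The same sentence is pasted into the other three notification files in this changeset, so the fix applies to all four.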
diff --git a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
index 6354979538b..3972e72b60f 100644
--- a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
@@ -10,14 +10,18 @@
registering as the service
<filename moreinfo="none">dsdb_group_event</filename>.</para>
- <para>This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around).</para>
+ <para>This is <emphasis>not</emphasis> needed for the audit
+ logging described in <smbconfoption name="log level"/>.</para>
- <para>The group events are also logged via the normal
+ <para>Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).</para>
+
+ <para>The Samba database events are also logged via the normal
logging methods when the <smbconfoption name="log level"/> is
- set appropriately.</para>
+ set appropriately, say to
+ <command moreinfo="none">dsdb_group_json_audit:5</command>.</para>
</description>
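Review bot: The last paragraph changes "The group events are also logged" to "The Samba database events are also logged", which looks like a paste from dsdbeventnotification.xml. This file documents dsdb_group_event, and the example it now gives is dsdb_group_json_audit:5, so "group events" was the more accurate wording and should be kept.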
diff --git a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
index 984321b98fc..cd2cc98ff42 100644
--- a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
@@ -10,14 +10,18 @@
events by registering as the service
<filename moreinfo="none">password_event</filename>.</para>
- <para>This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around).</para>
+ <para>This is <emphasis>not</emphasis> needed for the audit
+ logging described in <smbconfoption name="log level"/>.</para>
- <para>The password events are also logged via the normal
+ <para>Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).</para>
+
+ <para>The Samba database events are also logged via the normal
logging methods when the <smbconfoption name="log level"/> is
- set appropriately.</para>
+ set appropriately, say to
+ <command moreinfo="none">dsdb_password_json_audit:5</command>.</para>
</description>
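Review bot: "The password events are also logged" becomes "The Samba database events are also logged" in the last paragraph, although this file documents password_event and the example given is dsdb_password_json_audit:5. Keeping "password events" would leave the sentence consistent with the option it describes.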
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index f911fc006a3..a0da2910350 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -7093,6 +7093,8 @@ void reply_printwrite(struct smb_request *req)
DEBUG(3, ("printwrite %s num=%d\n", fsp_fnum_dbg(fsp), numtowrite));
+ reply_outbuf(req, 0, 0);
+
END_PROFILE(SMBsplwr);
return;
}
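Review bot: The added reply_outbuf(req, 0, 0) on the success path of reply_printwrite() comes with no test in this changeset; the summary of changes lists only source3/smbd/reply.c with two added lines alongside the documentation files. Since the commit message says the missing call meant no reply was sent at all, a regression test that issues SMBsplwr and waits for the reply packet would catch the same omission if this function is reworked again.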
--
Samba Shared Repository